This invention relates to digital signatures and email, and more particularly, to systems and methods that use digital signatures to distinguish trusted from untrusted email.
Electronic messaging has become an important tool for communications between businesses and with customers. One major problem with electronic messaging is that the mechanism that authenticates the sender of a mail is fairly weak. The currently most frequently used system relies on the messaging server of the sending entity to correctly identify both itself and the sender of the email. By setting up their own messaging server, a potential malicious user can easily circumvent this mechanism. Two examples of malicious users abusing this system are spam and social engineering. They occur most frequently in the context of email, however they are not limited to this specific type of electronic messaging.
Spam is usually unsolicited commercial email that is sent by a sender to a large number (often millions) of recipients to advertise a product or service. As spam is often illegal, the sender of spam will often try to disguise their identity. By setting up their own mail server they can easily do this. The mail server of the recipient currently has no effective mechanism that it can use to verify if the sender of a mail message is genuine or not.
With social engineering ploys, a forged email is sent to a recipient that appears to be sent by an entity that the recipient knows or trusts. The message content attempts to trick the recipient into performing actions that can be exploited by the sender. For example a sender could send an email that appears to be from the recipient's bank. This email could ask the recipient to go to a specific web page and enter his credentials for the bank's web site. This web page could appear to be an official web page from the bank, however, it would really be controlled by the malicious sender. The sender would obtain the recipient's login credentials for the real bank web site and could use them for withdrawing or transferring money from the recipient's bank account. By sending the forged email to a large number of recipients, a malicious sender can do substantial amounts of damage.
Digital signatures are a mechanism that can be used to prove the authenticity of emails. A digital signature is usually based on or related to a public key cryptography system. A well known public key cryptography system is the RSA system. Another possible public key cryptography system is an identity-based encryption system. In such a system a sender can generate a private and public key pair. The sender may publish his public key and make it available to any interested party. Using the private key, the sender can cryptographically sign electronic messages, for example email. A recipient or network service provider can use the public key to verify the signature of an electronic message.
It is an object of the present invention to provide mechanisms that protect recipients from unsolicited or forged emails.